Вы находитесь на странице: 1из 21

Office of Information Technology

Services
Oversight of Information Technology
Consultants and Contract Staffing

Report 2018-S-38 September 2019

OFFICE OF THE NEW YORK STATE COMPTROLLER


Thomas P. DiNapoli, State Comptroller
Division of State Government Accountability
Audit Highlights

Objective
To determine if the Office of Information Technology Services (ITS) is adequately monitoring
information technology (IT) services procured from consultants and contract staff to ensure
compliance with contract terms and deliverables. The audit covered ITS agreements between
April 1, 2015 and July 12, 2018 and subsequent documentation and information provided by
ITS through April 29, 2019.

About the Program


ITS provides statewide IT strategic direction, directs IT policy, and delivers centralized IT
products and services that support the mission of the State. ITS procures services through
consultants and contract staff and is responsible for monitoring services to ensure compliance
with contract terms and deliverables. ITS has a contracts and procurement unit that oversees
the procurement of contracts and other purchases, including those for IT services provided by
consultants and contract staff. ITS procures IT consultants or contract staff services through
a variety of mediums, including: Office of General Services centralized contracts, ITS agency
contracts, discretionary contracts, and stand-alone purchase orders. In the fiscal year ended
March 31, 2018, ITS had 747 contract employees supporting ITS functions and spent $50
million on contract labor.
Generally, contracts contain reporting requirements for contractors (e.g., performance metrics),
which serve as a means for ITS to accurately monitor contractor deliverables. In addition to
the deliverables and terms outlined in their contract or task order, contractors and consultants
must comply with the predefined standards – generic terms and conditions for all ITS contracts
– outlined within the State ITS Standard Contract Clauses.

Key Findings
ƒƒ We found that, in general, ITS is monitoring IT services procured from consultants and
contract staff to ensure compliance with contract terms and deliverables. For 14 of the 20
contracts we reviewed, ITS provided adequate oversight to ensure that the contractor or
consultant was meeting the deliverables.
ƒƒ For the remaining six contracts, for which ITS paid out more than $156 million,
deficiencies in contract monitoring – primarily of contractors’ reporting and documentation
requirements – create a risk that ITS may not have received the required deliverables.
ƒƒ Most notably, we found significant monitoring deficiencies for the International Business
Machines (IBM) Service Desk contract as compared to the others in our sample that
also had monitoring deficiencies. ITS did not require IBM to submit summary reports
that contained all the information required under the contract and that was necessary to
monitor contract deliverables. Furthermore, one year after the contract start date, ITS
executed a Project Change Request (PCR), including a pricing rate change. The PCR
removed Service Level Credits, which eliminated the opportunity to reduce payments

Report 2018-S-38 1
to IBM if certain performance metrics were not met. ITS did not provide documentation
showing the PCR was necessary or in the best interest of the State. Furthermore, ITS did
not obtain appropriate OSC approval for the PCR, as required.
ƒƒ For the five other agreements, ITS similarly did not obtain required reports or other
documentation from contractors or consultants or did not verify contractor or consultant
performance.

Key Recommendations
ƒƒ Strengthen monitoring of all agreements so that there is more consistency across ITS,
and ensure that all deliverables are met and received within the required time frame in
order to protect the interests of the State.
ƒƒ Formally evaluate the IBM Service Desk contract and take necessary steps to ensure that
the IBM contract staff are in compliance.

Report 2018-S-38 2
Office of the New York State Comptroller
Division of State Government Accountability

September 16, 2019

Mr. Joseph Rabito


Interim Chief Information Officer
Office of Information Technology Services
Empire State Plaza
P.O. Box 2062
Albany, NY 12220

Dear Mr. Rabito:

The Office of the State Comptroller is committed to helping State agencies, public authorities,
and local government agencies manage their resources efficiently and effectively. By so
doing, it provides accountability for the tax dollars spent to support government operations.
The Comptroller oversees the fiscal affairs of State agencies, public authorities, and local
government agencies, as well as their compliance with relevant statutes and their observance
of good business practices. This fiscal oversight is accomplished, in part, through our audits,
which identify opportunities for improving operations. Audits can also identify strategies for
reducing costs and strengthening controls that are intended to safeguard assets.
Following is a report of our audit entitled Oversight of Information Technology Consultants and
Contract Staffing. This audit was performed pursuant to the State Comptroller’s authority as
set forth in Article V, Section 1 of the State Constitution and Article II, Section 8 of the State
Finance Law.
This audit’s results and recommendations are resources for you to use in effectively managing
your operations and in meeting the expectations of taxpayers. If you have any questions about
this report, please feel free to contact us.
Respectfully submitted,

Division of State Government Accountability

Report 2018-S-38 3
Contents
Glossary of Terms 5
Background 6
Audit Findings and Recommendations 7
Monitoring of Deliverables 7
Recommendations 14
Audit Scope, Objective, and Methodology 15
Statutory Requirements 16
Authority 16
Reporting Requirements 16
Agency Comments 17
State Comptroller’s Comment 19
Contributors to Report 20

Report 2018-S-38 4
Glossary of Terms

Abbreviation Description Identifier


Agreement Constitutes either a contract or a HBITS task order Key Term
EMP Equipment Maintenance Program Key Term
GSMRT Global System Management Reporting Technology Tool Key Term
HBITS Hourly based information technology services Key Term
IBM International Business Machines Service
Provider
IT Information technology Key Term
ITS Office of Information Technology Services Auditee
ITSM Information Technology Service Management ticketing System
system
LATS Leave and Accrual Tracking System System
OGS Office of General Services Agency
OSC Office of the State Comptroller Agency
PCR Project Change Request Key Term
SLC Service Level Credit Key Term

Report 2018-S-38 5
Background
The Office of Information Technology Services (ITS) was established
in November 2012 as part of a New York State Information Technology
Transformation to consolidate and merge State agencies’ operations and
streamline information technology (IT) services. As the State’s centralized
technology agency, ITS provides statewide IT strategic direction, directs IT
policy, and delivers centralized IT products and services that support the
mission of the State. ITS has a contracts and procurement unit that oversees
the procurement of both contracts and other purchases, including those for IT
services provided by consultants and contract staff. According to ITS’ policies,
program managers are responsible for monitoring project deliverables and
timelines, and then determining if deliverables are acceptable and milestones
have been met.
ITS can procure IT consultants or contract staff services through a variety of
mediums, including:
ƒƒ Office of General Services (OGS) centralized contracts (e.g., hourly
based IT services [HBITS]);
ƒƒ ITS agency contracts;
ƒƒ Discretionary contracts; and
ƒƒ Stand-alone purchase orders.
In the fiscal year ended March 31, 2018, ITS had 747 contract employees
supporting ITS functions and spent $50 million on consultant and contract
labor.
HBITS are OGS centralized contracts. These hourly rate contracts are a
means by which many State agencies and municipalities acquire contractual
IT services for IT consultant work.
Generally, contracts contain reporting requirements for contractors (e.g.,
performance metrics), which serve as a means for ITS to accurately monitor
contractor deliverables. In addition to the deliverables and terms outlined in
their contract or task order, contractors and consultants must comply with the
predefined standards – generic terms and conditions for all ITS contracts –
outlined within the State ITS Standard Contract Clauses.

Report 2018-S-38 6
Audit Findings and Recommendations
We found that, in general, ITS is monitoring IT services procured from
consultants and contract staff to ensure compliance with contract terms
and deliverables. For 14 of the 20 agreements we reviewed, ITS provided
adequate oversight to ensure that the contractor or consultant was meeting
the deliverables. However, for the remaining six contracts, for which ITS paid
out more than $156 million, deficiencies in contract monitoring – primarily of
contractors’ reporting and documentation requirements – create a risk that
ITS may not have received the required deliverables.
Most notably, we found significant monitoring deficiencies for the
International Business Machines (IBM) Service Desk contract as compared
to the others in our sample that also had monitoring deficiencies. ITS did
not adequately monitor various areas of the contract to ensure IBM was
meeting the deliverables. ITS did not require IBM to submit summary reports
that contained the full range of what was required under the contract.
Furthermore, one year after the contract start date, ITS executed a Project
Change Request (PCR), including a pricing rate change, but did not provide
documentation showing it was necessary or in the best interest of the State.
Furthermore, ITS did not obtain appropriate OSC approval for the PCR, as
required.
For the other agreements, ITS did not always verify contractor or consultant
performance or obtain required reports or other documentation. For example,
we found that, for an equipment maintenance contract, ITS was unable to
verify the information provided by the contractor was accurate. ITS could
not cross-reference ticket information from the contractor’s internal ticketing
system to ITS’ own ticketing system.

Monitoring of Deliverables
ITS is not consistently monitoring all its agreements to ensure that contractors
or consultants have met the deliverables called for in each contract. For 6
of 20 contracts, ITS approved over $156 million to be paid to contractors or
consultants who did not fulfill all the contract deliverables.
We reviewed a judgmental sample of 20 agreements that included a
combination of contracts and HBITS vouchers that had IT service deliverable
components. Each HBITS voucher may contain multiple HBITS task orders,
and a HBITS task order may appear on multiple vouchers. Because the
task orders detail the day-to-day duties and qualifications for individual
consultants, we selected an associated HBITS task order for each HBITS
voucher in our sample. The agreements we reviewed included:

Report 2018-S-38 7
ƒƒ 13 ITS contracts, with spending totaling $396,687,369 between April 1,
2015 to March 7, 2019; and
ƒƒ 7 HBITS task orders, valued at $3,160,604 for the full length of the
individual task orders that we received, with the latest end date being
April 2, 2019.
We found that, although ITS has a contracts and procurement unit that
oversees the procurement of both contracts and other purchases, ITS’
monitoring of the consultants and contract staff is distributed among many
different units and employees throughout ITS, which creates inconsistencies
in monitoring and oversight. We found that, for 14 of the 20 agreements that
we reviewed, ITS provided adequate oversight to ensure that the contractor
or consultant was meeting the agreement deliverables. For the remaining 6
that we reviewed (see table below), ITS did not provide adequate oversight of
the contracts and task orders to ensure that the contractor or consultant was
meeting the required deliverables.

Contract/Task Order # Vendor Contract/Task Order Value


C000382 IBM $23,632,960
C000068 IBM $112,250,152
C000172 Verizon Wireless $10,846,928
PS65207 The Remi Group $8,172,772
03-02683 HBITS Task Order $1,412,280
01-00761 HBITS Task Order $225,920

C000382 – IBM – Service Desk


Contract C000382, which began in August 2016, was procured to provide
Level 1 IT Service Desk and Level 2 End-User Break-Fix Support services.
IBM was selected to provide Level 1 services (i.e., the entry point, or single
point of contact for all IT incidents and service requests by end users)
and its subcontractor would provide the Level 2 services – higher-level
break-fix support (incidents pertaining to any end-user devices that require
replacement). Level 1 IT Service Desk services include providing the
following:
ƒƒ The phone system that users call when they need assistance;
ƒƒ Password resets;
ƒƒ Answers to “How-to” questions for applications such as Microsoft Office
suite, Knowledge Base Tips, etc.;
ƒƒ Level 1 support for alert monitoring;

Report 2018-S-38 8
ƒƒ Content improvements to knowledge articles;
ƒƒ Level 1 support for business applications identified by ITS; and
ƒƒ Level 1 Voice over Internet Protocol support.
As outlined in the contract, IBM would address Level 1 Service Desk tickets
and try to resolve them to the extent possible before the tickets would be
escalated to Level 2. If the Level 2 ticket is for a break-fix, it is transferred
to the subcontractor; otherwise, it is transferred to a State employee. The
contract also has other specific requirements, such as:
ƒƒ IBM was required to report on specific performance metrics such as
speed to answer, abandoned call rate, response time, resolution time,
and customer satisfaction.
ƒƒ Where IBM did not meet metrics, Service Level Credits (SLCs) would
apply, resulting in a reduction in payment to IBM.
ƒƒ IBM was required to implement the Watson function, with a go-live date
within 180 days of the contract start date. (This functionality provides an
automated answer to end-users’ IT support questions, to be used as an
alternative for calls, chats, and emails directed to the Service Desk.)
In August 2017 – one year into the contract – ITS effected a Project Change
Request (PCR). ITS officials stated that the PCR changed a requirement
so that IBM was only allotted ten minutes to resolve the issue before it was
transferred. It also removed the SLC requirement for the Level 1 Service
Desk. We found ITS did not adequately monitor the Service Desk contract –
both pre- and post-PCR – to ensure that IBM was meeting the deliverables.

IBM Not Reporting as Required


The contract required IBM to submit annual and monthly reports and outlined
the specific information that should be included, such as statistics on
monthly actual and projected invoice amounts, actual monthly performance,
remediation plans where service level requirements had not been met, and
the sum of the SLCs. ITS uses these reports as one method to monitor
performance and ensure the contractor is complying with the contract
requirements. While ITS provided examples of monthly and even weekly
reports that described the Service Desk and Break-Fix end-user performance,
these reports did not note any actual and projected invoice amounts or the
sum of the SLC amounts, as required. Furthermore, the annual report that
ITS provided was only a one-page document that showed minimal monthly
performance information. That ITS accepts reports that do not contain the
appropriate information, as outlined by the agreement, indicates ITS is not

Report 2018-S-38 9
closely monitoring the services. In response to our audit findings, ITS officials
stated that they closely monitor these services through weekly reports, which
results in closer monitoring of the contract. However, the reports we received
did not contain full details of contract deliverables, such as performance
information. Additionally, they did not contain any actual and projected invoice
amounts or the sum of the SLC amounts because SLCs were never applied.

Validation of IBM Call Data


The monthly reports required by the contract contain annual statistics on the
contract, such as the number of calls received each month. ITS relies on
IBM to report accurately and does not verify the information on the reports.
Without a process for verifying reported data, ITS cannot be certain of its
accuracy.
We compared the number of calls received by the Service Desk for the period
November 2016 through October 2018 with Information Technology Service
Management (ITSM) ticketing data, which logs all Service Desk tickets, and
found discrepancies for each month: There were significantly more calls
received than tickets opened up through July 2017, but thereafter significantly
more tickets opened than calls received.
ITS officials stated that call data will never exactly match ITSM data and
provided possible explanations for the discrepancies: that users could call in
for a status update on the ticket, which would result in more calls than tickets,
or that multiple tickets could be opened as the result of one call because the
same issue is on multiple machines or the caller has more than one issue.
While we acknowledge the validity of these reasons, ITS does not verify the
information on the reports submitted by IBM and, therefore, does not know
the basis for the discrepancies and whether the call data provided by IBM is
reliable.
Additionally, ITS was granted access to the Global System Management
Reporting Technology Tool (GSMRT) for monitoring real-time and historic
reporting, with both standard and custom report functionalities. ITS officials
stated no one is currently utilizing the GSMRT system for monitoring because
IBM no longer uses the GSMRT tool. However, ITS was unable to provide any
detail or support to show if GSMRT was accessed or how the tool was used
for monitoring during any point of the contract period.

PCR-Related Issues
According to ITS officials, they executed the PCR due to the technical
limitations in State systems and the desire to maintain tighter controls on
protected State data, as well as to save money on the contract. In eliminating

Report 2018-S-38 10
SLCs, however, ITS also eliminated the opportunity to reduce payments to
IBM if certain metrics were not met.
ITS was unable to provide any reports to support whether the performance
metrics were or were not being met prior to the PCR going into effect, even
though IBM officials stated that all reports for the length of the contract were
provided to ITS. ITS officials did, however, inform us that the Service Desk
initially struggled with the incoming volume of calls and tickets, indicating that
the performance metrics were not being met prior to the PCR. ITS did not
receive any SLCs for this period. Our review of monthly reports subsequent
to the PCR indicated that IBM was also not meeting the metrics for the Level
1 Service Desk. With SLCs no longer an option, ITS could not realize any
underperformance-related cost savings.
Notably, ITS is unable to demonstrate that the PCR saved money overall
because no cost analysis was performed. Therefore, it may have been
more cost effective to apply SLCs where applicable than to implement the
PCR. In response to our audit findings, ITS officials stated they provided
documentation clearly showing improved performance and achievement of
required service levels because of the PCR; however, ITS provided no such
information, nor any documentation to show a pre-/post-PCR performance
analysis was performed. Furthermore, because ITS did not provide any
summary report that shows performance metrics prior to when the PCR took
effect, we could not compare Service Desk performance before and after the
PCR.
Additionally, the PCR changed the pricing rate agreed to in the contract. The
PCR changed the per-user rate charge from a fixed rate to a variable rate,
based on the amount of work performed by IBM. The variable rate will not
exceed the fixed rate agreed to in the original contract. However, according
to ITS officials, they are unable to confirm how the variable rate is actually
calculated by IBM but believe the rate is based on IBM’s own costs of doing
business. Without knowing how the rate is calculated or IBM’s “cost of doing
business” if that is, in fact, the basis, ITS has no way of knowing if the variable
rate, on a month-to-month basis, is accurate based on the amount of work
IBM is performing.
Furthermore, any contract changes that affect price require OSC approval.
ITS did not submit the PCR to OSC for approval prior to its execution. ITS
does not believe the pricing changed. However, a change in rate – from a
fixed rate to a variable rate based on amount of work performed – is a change
in the calculation of payment and, therefore, a change in the pricing of the
contract. Moreover, the original bids from other interested parties may have

Report 2018-S-38 11
been less if they did not have to factor in meeting performance metrics, with
potential SLCs attached.

Implementation of Watson Function


We also found IBM’s implementation of the Watson function and go-live date
of this function within 180 days of the contract start date did not occur. The
go-live date was not within 180 days from the August 2016 contract start
date; it was implemented nearly two years after the contract start date in June
2018. This functionality provides an automated answer to the end-users’ IT
support questions and is to be used as an alternative for calls, chats, and
emails directed to the Service Desk.

Other Agreements
C000068 – IBM – Data Center Services
ITS procured Contract C000068 to provide various performance and
deliverable-based services to State agencies for their Data Center Services.
One contract provision requires the contractor to provide ITS with monthly
progress reports, documenting maintenance service action items and their
status, as well as biweekly status reports. ITS was unable to provide us
with the monthly progress reports. Therefore, they are unable to monitor the
monthly progress and maintenance of such service equipment.
In response to our findings, ITS stated that it engages in more diligent
monitoring through the biweekly reports that it receives. The contract
language describing the information to be provided in the monthly progress
report is vague. Therefore, we cannot determine if different information was
required in each report. However, the required deliverables included both
monthly and biweekly reports.

C000172 – Verizon Wireless – Telecommunication Services


Contract C000172 was procured to provide comprehensive
telecommunication services, including installation, repair, modification, and
disconnection of circuits, for the State. One contract requirement states that
the contractor must provide monthly summary reports for closed trouble
tickets that relate to these services, including circuit numbers affected,
ticket numbers, reported trouble, open/closed circuits, trouble resolution,
and duration. ITS officials stated that, starting at some point in 2017 to
2018, they no longer receive the monthly summary reports that outline this
information. However, ITS officials later stated that the practice of receiving
the reports was discontinued prior to 2012, which is inconsistent with their
earlier response. During our closing conference, ITS officials also stated they

Report 2018-S-38 12
would provide auditors with the date that Verizon was officially notified that the
monthly reports were no longer required. However, ITS was unable to identify
or provide this information.
ITS was also unable to provide us with the report for closed trouble tickets
at any point during the contract period, including the period when they still
received this report. Officials did, however, furnish us with over two years of
actual closed trouble tickets, but only at our request, and the tickets did not
include all the pertinent information that the monthly summary reports are
required to contain. During our closing conference, officials noted that they
could provide the information we requested immediately; however, we did not
receive any further documentation.

PS65207 – The Remi Group – Equipment Maintenance Program


Contract PS65207 was procured for an Equipment Maintenance Program
(EMP) providing State agencies and authorized users with maintenance of
various types of equipment. The contract states that the contractor must
provide monthly reports for all EMP services provided to State agencies
or authorized users. While The Remi Group submits monthly reports, they
are generated from the contractor’s internal ticketing system. ITS is unable
to cross-reference tickets from The Remi Group’s system to its own ITSM
ticketing system and is thus unable to verify the information provided in
the monthly report. However, as a result of our audit, ITS stated that it has
strengthened controls and now requires the vendor to associate the ITS ticket
with all repairs performed and tracks this activity in its records so ITS can
more easily monitor the contractor’s monthly performance.

03-02683 – HBITS Task Order


Task order 03-02683 includes the services of five hourly based consultants
to develop, implement, and maintain a single statewide system for the State
for all licensing and permitting needs for a Grants and Licensing Program.
Time sheets should be completed contemporaneously with time worked to
ensure accurate reporting and correct payment for hours worked. For four of
the five consultants, time sheets were submitted much later, indicating that
ITS may not have been verifying that they had, in fact, worked the appropriate
amount of time or worked as they reported. For the four consultants, 18 of
the 32 Leave and Accrual Tracking System (LATS) time sheets sampled
were submitted 30 or more days after the end of the pay period, with the
latest submitted over 100 days after. ITS officials stated the consultants had
originally submitted paper time sheets and were later directed to re-enter their
previously submitted time into LATS once the contract was included in LATS.
ITS provided paper time sheets that were submitted and approved timely, for

Report 2018-S-38 13
14 of the 18 LATS time sheets submitted 30 or more days after the end of
the pay period. However, we question the validity of these paper time sheets
because of the delay in receiving this information. We shared this finding
with ITS officials on February 15, 2019, but this support wasn’t provided until
May 28, 2019, over three months later. As a result, ITS may not have been
verifying that these consultants were in fact working the appropriate amount
of time or working as they reported.

01-00761 – HBITS Task Order


Task order 01-00761 is for a consultant to provide remote support and
deployment of Thin Clients and XenApp environment, day-to-day services,
and maintenance of the Thin Client and desktop images. According to the
task order, the consultant must fully document the processes and procedures
and provide end-user training in use of applications. However, the insufficient
state of the documentation provided to us leads us to conclude that ITS did
not provide adequate monitoring to ensure the consultant complied with this
requirement. The brief, one-page document ITS provided appeared to be
incomplete, as the last of its numbered-series items was left blank without
any information, nor did it identify the author or the date it was created. In
response, ITS officials stated that the limited support was in part due to
attrition and transfer of the management of this contract from the End-User
Services area to the Public Safety Portfolio. We acknowledge that transitions
can introduce certain risks; however, with proper succession planning, this
situation may have been avoided.

Recommendations
1. Strengthen the monitoring of all agreements for greater consistency
across ITS, and ensure that all deliverables are met and received
within the required time frame in order to protect the interests of the
State.
2. Formally evaluate the IBM Service Desk contract and take necessary
steps to ensure that the IBM contract staff are in compliance.

Report 2018-S-38 14
Audit Scope, Objective, and Methodology
The objective of our audit was to determine if ITS is adequately monitoring IT
services procured from consultants and contract staff to ensure compliance
with contract terms and deliverables. The audit covered ITS agreements
between April 1, 2015 and July 12, 2018 and subsequent documentation and
information provided by ITS through April 29, 2019.
To accomplish our objective and assess internal controls related to our
objective, we reviewed State laws and regulations as well as ITS’ policies and
procedures. We interviewed ITS personnel to obtain an understanding of the
monitoring practices as a whole and for the agreements in our sample. We
analyzed ITS data related to the agreements such as LATS and ITSM. We
also analyzed contract and payment data within First New York and Open
Book New York. We analyzed 134,048 lines of ITS’ voucher data, which
included 359 contracts and 352 HBITS vouchers from April 1, 2015 to July 12,
2018 within First New York. Based on our audit work, we believe the data was
sufficiently reliable for the purposes of this audit. We selected and reviewed a
judgmental sample of 20 agreements from First New York, which included a
combination of contracts and HBITS vouchers that had IT service deliverable
components, to determine how ITS was monitoring these agreements and
whether the deliverables were being met. We selected the sample based
on factors such as the cost and recurring vendors. We additionally selected
various judgmental samples for support of the deliverables of the 20
agreements. Because we selected judgmental samples, the results cannot be
projected to the population as a whole.

Report 2018-S-38 15
Statutory Requirements

Authority
The audit was performed pursuant to the State Comptroller’s authority as set
forth in Article V, Section 1 of the State Constitution and Article II, Section 8 of
the State Finance Law.
We conducted our performance audit in accordance with generally accepted
government auditing standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide
a reasonable basis for our findings and conclusions based on our audit
objective. We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objective.
In addition to being the State Auditor, the Comptroller performs certain other
constitutionally and statutorily mandated duties as the chief fiscal officer of
New York State. These include operating the State’s accounting system;
preparing the State’s financial statements; and approving State contracts,
refunds, and other payments. In addition, the Comptroller appoints members
to certain boards, commissions, and public authorities, some of whom
have minority voting rights. These duties may be considered management
functions for the purposes of evaluating organizational independence under
generally accepted government auditing standards. In our opinion, these
functions do not affect our ability to conduct independent audits of program
performance.

Reporting Requirements
We provided a draft copy of this report to ITS officials for their review and
formal comment. We considered their comments in preparing this final report
and have included them in their entirety at the end of it. ITS generally agreed
with the recommendations and, in fact, noted steps they have already taken
and will continue to take to implement the recommendations. Our response
to ITS’ comments are included in the report’s State Comptroller’s Comment.
Within 90 days after final release of this report, as required by Section 170 of
the Executive Law, the Chief Information Officer of the Office of Information
Technology Services shall report to the Governor, the State Comptroller, and
the leaders of the Legislature and fiscal committees, advising what steps
were taken to implement the recommendations contained herein, and where
recommendations were not implemented, the reasons why.

Report 2018-S-38 16
Agency Comments

* Comment 1

Report 2018-S-38 17
* Comment 1

Report 2018-S-38 18
State Comptroller’s Comment
1. ITS’ assertion that it received enhanced reporting from the contractor on a weekly or
biweekly basis, which went above and beyond contract requirements of monthly progress
reports, is misleading. While ITS may be receiving more reports, it is not receiving all
the information required under the contract. As demonstrated on pages 9 and 10 of the
audit report, for example, the reports submitted did not contain the full details of contract
deliverable requirements, such as performance information and actual and projected
invoice amounts.

Report 2018-S-38 19
Contributors to Report

Executive Team
Tina Kim - Deputy Comptroller
Ken Shulman - Assistant Comptroller

Audit Team
Brian Reilly, CFE, CGFM - Audit Director
Nadine Morrell, CIA, CISM, CGAP - Audit Manager
Amanda Eveleth, CFE - Audit Supervisor
Thomas Sunkel, CPA - Examiner-in-Charge
Christian Butler - Senior Examiner
Anne Marie Miller, CFE - Senior Examiner
Emily Vandenburgh - Senior Examiner
Mary McCoy - Supervising Editor

Contact Information
(518) 474-3271
StateGovernmentAccountability@osc.ny.gov
Office of the New York State Comptroller
Division of State Government Accountability
110 State Street, 11th Floor
Albany, NY 12236

Like us on Facebook at facebook.com/nyscomptroller


Follow us on Twitter @nyscomptroller
For more audits or information, please visit: www.osc.state.ny.us/audits/index.htm